Posted on 2006-03-28, 00:00. Authored by Ahren Studer, Chenxi Wang.
Network attacks often employ scanning to locate vulnerable hosts and services. Unimpeded scanning can lead to the subversion of an entire vulnerable population in a matter of minutes. Fast and accurate detection of local scanners is key to containing a spreading epidemic in its early stage. Existing scan detection schemes can detect fast scanners whose behavior can be clearly delineated from that of legitimate traffic. Detecting slow scanners, however, is more difficult. The difficulty arises partially from the fact that these detection schemes use statically determined detection criteria and, as a result, do not respond well to traffic perturbations. In this paper, we present two adaptive scan detection schemes, Success Based (SB) and Failure Based (FB), both of which change detection criteria dynamically based on traffic statistics. FB is designed for fast detection and is particularly well suited for controlled computing environments with well-understood traffic characteristics. SB is more versatile and able to perform well in a wide range of traffic scenarios. We evaluate the proposed schemes analytically as well as empirically using real traffic and attack traces. Our results show that against fast scanners, the adaptive schemes achieve detection precision similar to that of the traditional static schemes. For slow scanners, however, the adaptive schemes are much more effective, both in terms of detection precision and speed. Specifically, both SB and FB have non-linear properties not present in other schemes. These properties permit a lower Sustained Scanning Threshold and a robustness against perturbations in the background traffic.
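To make the abstract's central point concrete, the added example below (not code from the paper, and not the SB/FB algorithms themselves) contrasts a static failure-count criterion with one derived from the current window's traffic statistics. The threshold rule (mean plus k standard deviations of per-host failure counts) and the flow records are constructed assumptions chosen to show why a static threshold either misses a slow scanner or flags legitimate hosts, while the adaptive one tracks the background.

```python
"""Toy illustration of an adaptive, failure-based scan detector.

Added example for this abstract; it is NOT the paper's FB scheme. The abstract
only states that detection criteria are derived from traffic statistics, so the
threshold rule used here (mean + k*stdev of per-host failure counts) is an
assumption. All flow records are constructed inline."""
from collections import Counter
from statistics import mean, pstdev


def constructed_window():
    """Constructed flow records for one window: (src_host, dst, succeeded)."""
    flows = []
    # 20 legitimate hosts, ~10 connections each, one or two failures apiece.
    for i in range(20):
        host = f"10.0.0.{i + 1}"
        flows += [(host, f"srv{j}", True) for j in range(9)]
        flows.append((host, "srv9", False))
        if i % 5 == 0:
            flows.append((host, "srv10", False))
    # One slow scanner: only 4 probes in the window, all to unused addresses.
    flows += [("10.0.0.250", f"10.0.1.{p}", False) for p in range(4)]
    return flows


def failure_counts(flows):
    """Failed-connection count per source host; successes are ignored."""
    return Counter(src for src, _dst, ok in flows if not ok)


def static_detect(flows, threshold):
    """Static criterion: flag hosts whose failure count exceeds a fixed value."""
    return {h for h, n in failure_counts(flows).items() if n > threshold}


def adaptive_threshold(flows, k=2.0):
    """Derive the criterion from the window itself, so it follows the
    background traffic instead of a fixed, hand-tuned number."""
    counts = list(failure_counts(flows).values())
    return mean(counts) + k * pstdev(counts)


def adaptive_detect(flows, k=2.0):
    """Flag hosts whose failure count exceeds the window-derived threshold."""
    thr = adaptive_threshold(flows, k)
    return {h for h, n in failure_counts(flows).items() if n > thr}
```

With these records a static threshold of 5 failures misses the scanner entirely, a static threshold of 1 catches it but also flags four legitimate hosts, and the adaptive threshold (about 2.76 here) isolates the scanner alone.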